    Episode 27 · July 1, 2025 · 36m listen · 947 words · ~5 min read

    Why Cybersecurity and Quality Are One and the Same | Ep. 26 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 27 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    This episode of The Med Device Cyber Podcast features Ash Garuli, principal and founder of Ingenious Solutions, discussing the critical intersection of cybersecurity and quality management in medical device development. Together with host Trevor Slatterie, Ash tackles common regulatory pitfalls and the evolving landscape of medical device cybersecurity regulations. The conversation emphasizes that a robust Quality Management System (QMS) inherently encompasses cybersecurity, highlighting how a diligent QMS, even prior to stringent FDA guidance, would have addressed most current cybersecurity requirements. They delve into the specific challenges posed by software components in medical devices, particularly with emerging technologies like AI/ML, and the misconception that cybersecurity is a mere checklist activity rather than an integral aspect of product safety and effectiveness. The discussion also covers the nuances of FDA guidance, including the distinction between "cyber devices" and the evolving understanding of risk assessment, moving beyond probabilistic scoring to exploitability factors. Ultimately, this episode underscores the shared responsibility of manufacturers, end-users, and even patients in maintaining medical device cybersecurity, advocating for a "shift left" approach to integrate quality and security early in the product development lifecycle.

    Key takeaways from this episode

    • A robust Quality Management System (QMS) in medical device development should inherently integrate cybersecurity, treating them as inseparable components rather than distinct problems.
    • Early identification of regulatory requirements, business models, and product design is crucial for establishing an effective cybersecurity management system that meets specific market needs and compliance standards.
    • The medical device industry must foster a culture of quality and cybersecurity across the entire team, recognizing that a cybersecurity failure can directly lead to patient harm and delayed healthcare services.
    • Risk management in medical device cybersecurity should move beyond probabilistic scoring to focus on exploitability factors, such as the complexity of an attack, required access levels, and impact on patient safety.
    • Manufacturers must provide artifacts like SBOMs and comprehensive labeling to enable end-users and healthcare systems to adequately manage and respond to cybersecurity vulnerabilities, fostering a shared responsibility for medical device security.
    • Integrating cybersecurity and quality assurance early in the product development process reduces rework, lowers costs, and positions products competitively by making security a differentiating advantage.

    Full episode transcript

Trevor: Hello there and welcome back to another episode of The Med Device Cyber Podcast. I am your host, Trevor Slatterie. Unfortunately, our co-host Christian Espinosa is not able to make it on this one; he's tied up with some flight delays. Today, we're going to be talking about some regulatory strategies, ensuring that we're getting quality systems put into place early and effectively in medical products, some of the common regulatory pitfalls that we see a lot of manufacturers face and, of course, how these regulations are going to apply to emerging technologies, namely AI and machine learning. I'm joined here by Ash from Ingenious Solutions. How are you doing today?

Ash: Doing well. Thanks for having me on, Trevor.

Trevor: Perfect. Well, I'd love to hear a little bit about what you guys do over at Ingenious Solutions and, of course, a little bit about yourself as well.

Ash: Yeah, and you know, the two stories obviously intertwine. My name is Ash Garuli; I'm the principal and founder of Ingenious Solutions, and I have a long history of working on medical device software. I belong to a niche group of people that understand regulatory requirements and software requirements intimately because I've kind of dabbled in different roles in the software development lifecycle. I've had roles coding, testing, product managing, and then most of my career ended up being in quality management systems and regulatory affairs. All of that led me to the creation of Ingenious Solutions, which is a boutique consulting firm focused on medical device software development. So what we do is we help early- to mid-size companies with quality management system or early regulatory strategy consulting for medical device software.

Trevor: Got it. So you're ensuring that they're essentially getting their ducks in a row as far as their quality system, making sure that they're identifying any of the regulatory approaches that they'll need to take, of course, the regulations that they adhere to, and kind of helping them along that path.

Ash: 100%, exactly. You see, the requirements around software are basically very different from hardware. However, a lot of the regulations are old frameworks from the prehistoric old software and firmware days. So it is a whole art and its own specialty to try to have a very streamlined approach to software quality management systems. So that's what I specialize in.

Trevor: Definitely. Yeah, there's obviously a ton of complexity in software, and as the medical device landscape is evolving, pretty much everything has a software component now. Everything's connecting to the internet in one way or another. So when we're introducing that software component, we're introducing a little bit of risk as well, and that's where it can tie into the cybersecurity side of things. Oftentimes, I feel like they are portrayed as separate problems. You have your software issues, you have your cybersecurity issues, but they're very closely related. In my mind, cybersecurity is essentially evidence of quality software. If you have secure software, you have good software. So ensuring that you're building out your software with these considerations in mind is important, but it can be a little bit difficult. The guidance documents are complicated; there are however many standards floating around that manufacturers have to try to adhere to. So I'm sure there's a lot involved with getting that QMS set up properly.

Ash: Well, 100%. I think the idea that a quality management system and cybersecurity are two different entities is flawed at its core and actually results in a lot of overhead. When you think about what a quality management system is about, 13485 was based on 9001. At the end of the day, the stated objective of a quality management system is to meet customer requirements. When you look at the FDA regulations, they talk about safety and effectiveness, and cybersecurity fits throughout all that. Essentially, if you were actually being diligent long before the FDA got very stringent on cybersecurity, came out with all the guidances, and all the detailed requirements, if you were being diligent enough in terms of meeting your customer requirements, safety, and effectiveness requirements in your QMS, you would have already done almost all of the things that the FDA is asking you to do on the cybersecurity front. So I really see the two as one and the same.

Trevor: I definitely agree. Yeah. And the whole point, you know, the standards that we're adhering to under FDA guidance, these aren't very new standards. The FDA guidance, of course, came out in September of 2023, which is still fairly recent, but everything that it's based upon, you know, ISO 62304 and then IEC 81001-5-1, these aren't new; these are older than the FDA pre-market guidance. UL 2900 is another example of that. So manufacturers that had been adhering to these were already going to be compliant.